aws-iam-language-server 0.0.15 → 0.0.16

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aws-iam-language-server",
-  "version": "0.0.15",
+  "version": "0.0.16",
   "type": "module",
   "bin": "./src/server.js",
   "publisher": "MichaelBarney",
@@ -16,6 +16,78 @@
     "onLanguage:terraform"
   ],
   "icon": "./images/iam.png",
+  "contributes": {
+    "configuration": {
+      "title": "AWS IAM Language Server",
+      "properties": {
+        "aws-iam-language-server.diagnostics.DUPLICATE_KEY.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn on duplicate statement keys."
+        },
+        "aws-iam-language-server.diagnostics.UNRECOGNIZED_KEY.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn on unrecognized entries in a statement."
+        },
+        "aws-iam-language-server.diagnostics.MISSING_EFFECT.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn when a statement is missing the required Effect entry."
+        },
+        "aws-iam-language-server.diagnostics.MISSING_ACTION.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn when a statement is missing the required Action or NotAction entry."
+        },
+        "aws-iam-language-server.diagnostics.MISSING_RESOURCE_OR_PRINCIPAL.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn when a statement is missing both Resource/NotResource and Principal/NotPrincipal."
+        },
+        "aws-iam-language-server.diagnostics.INVALID_EFFECT.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn when Effect value is not Allow or Deny."
+        },
+        "aws-iam-language-server.diagnostics.DUPLICATE_SID.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn on duplicate Sid values across statements."
+        },
+        "aws-iam-language-server.diagnostics.INVALID_SID.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn when Sid contains invalid characters."
+        },
+        "aws-iam-language-server.diagnostics.UNRECOGNIZED_ACTION.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn when an action does not match any known IAM action."
+        },
+        "aws-iam-language-server.diagnostics.DEPENDENT_ACTION.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn when an action requires dependent actions that aren't granted in the same statement."
+        },
+        "aws-iam-language-server.diagnostics.INVALID_PARTITION.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn on invalid or missing partition in a resource ARN."
+        },
+        "aws-iam-language-server.diagnostics.INVALID_REGION.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn on invalid region for the specified partition."
+        },
+        "aws-iam-language-server.diagnostics.INVALID_ACCOUNT.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Warn when account ID is not 12 digits."
+        }
+      }
+    }
+  },
   "main": "./src/extension.js",
   "scripts": {
     "start": "node src/server.ts --stdio",

package/readme.md

@@ -15,6 +15,15 @@ It supports policies written in
 
 Install the [extension](https://marketplace.visualstudio.com/items?itemName=MichaelBarney.aws-iam-language-server).
 
+#### Config
+
+```json
+{
+  // replace ${DIAGNOSTIC_RULE} with a diganostic rule id, like DEPENDENT_ACTION
+  "aws-iam-language-server.diagnostics.${DIAGNOSTIC_RULE}.enabled": true
+}
+```
+
 ### Neovim, etc
 
 You can install the language server globally with npm:
@@ -30,6 +39,15 @@ vim.lsp.config("aws-iam-language-server", {
   cmd = { "aws-iam-language-server", "--stdio" },
   filetypes = { "yaml", "yaml.cloudformation", "json", "json.cloudformation", "terraform", "tofu" },
   root_markers = { ".git" },
+  -- optional, only if you want to override the defaults
+  settings = {
+    ["aws-iam-language-server"] = {
+      diagnostics = {
+        -- replace ${DIAGNOSTIC_RULE} with a diganostic rule id, like DEPENDENT_ACTION
+        ${DIAGNOSTIC_RULE} = { enabled = false },
+      },
+    },
+  },
 })
 
 vim.lsp.enable("aws-iam-language-server")
@@ -82,3 +100,4 @@ This language server will provide diagnostics for some IAM policy issues, includ
 - effect has a valid value
 - defined actions are valid, or wildcards resolve to valid actions
 - arn parts are valid (partition, region, account id)
+- dependent actions (`ecs:RunTask` requires `iam:PassRole`)

package/src/extension.js

@@ -9,6 +9,9 @@ export function activate(context) {
     };
     client = new LanguageClient('aws-iam-language-server', 'AWS IAM Language Server', serverOptions, {
         documentSelector: [{ language: 'json' }, { language: 'yaml' }, { language: 'terraform' }, { language: 'opentofu' }],
+        synchronize: {
+            configurationSection: 'aws-iam-language-server',
+        },
     });
     client.start();
 }

package/src/handlers/diagnostics/action.d.ts

@@ -1,6 +1,8 @@
-import type { Diagnostic } from 'vscode-languageclient';
-import type { StatementEntry } from '../../lib/treesitter/base.ts';
+import { type Diagnostic } from 'vscode-languageserver';
+import type { PolicyDocumentNode, StatementEntry } from '../../lib/treesitter/base.ts';
 import { ElementValidator } from './base.ts';
 export declare class ActionValidator extends ElementValidator {
+    #private;
+    constructor(policyDocument: PolicyDocumentNode, actionKeys: Set<string>);
     validate(entry: StatementEntry): Array<Diagnostic>;
 }

package/src/handlers/diagnostics/action.js

@@ -1,14 +1,57 @@
+import { DiagnosticSeverity } from 'vscode-languageserver';
+import { isRuleEnabled } from "../../lib/config.js";
+import { ServiceReference } from "../../lib/iam-policy/reference/services.js";
 import { expandActionPattern } from "../../lib/iam-policy/wildcard.js";
 import { ElementValidator } from "./base.js";
 import { createDiagnostic } from "./utils.js";
 export class ActionValidator extends ElementValidator {
+    #policyDocument;
+    #actionKeys;
+    #expandedActions = null;
+    constructor(policyDocument, actionKeys) {
+        super();
+        this.#policyDocument = policyDocument;
+        this.#actionKeys = actionKeys;
+    }
     validate(entry) {
         const diagnostics = super.validate(entry);
         for (const value of entry.values) {
-            if (expandActionPattern(value.text).length === 0) {
-                diagnostics.push(createDiagnostic(`Unrecognized action "${value.text}"`, value.range));
+            const expanded = expandActionPattern(value.text);
+            if (isRuleEnabled('UNRECOGNIZED_ACTION')) {
+                if (expanded.length === 0) {
+                    diagnostics.push(createDiagnostic('UNRECOGNIZED_ACTION', `Unrecognized action "${value.text}"`, value.range));
+                    continue;
+                }
+            }
+            if (isRuleEnabled('DEPENDENT_ACTION')) {
+                const allActions = this.#getExpandedActions();
+                for (const action of expanded) {
+                    const actionDef = ServiceReference.getAction(action);
+                    if (!actionDef?.dependentActions)
+                        continue;
+                    const missing = actionDef.dependentActions.filter((dep) => !allActions.has(dep.toLowerCase()));
+                    if (missing.length > 0) {
+                        diagnostics.push(createDiagnostic('DEPENDENT_ACTION', `"${action}" requires dependent action${missing.length > 1 ? 's' : ''}: ${missing.join(', ')}`, value.range, DiagnosticSeverity.Warning));
+                    }
+                }
             }
         }
         return diagnostics;
     }
+    #getExpandedActions() {
+        if (this.#expandedActions)
+            return this.#expandedActions;
+        this.#expandedActions = new Set();
+        for (const statement of this.#policyDocument.statements) {
+            const actionEntry = statement.entries.find((e) => this.#actionKeys.has(e.key));
+            if (!actionEntry)
+                continue;
+            for (const value of actionEntry.values) {
+                for (const action of expandActionPattern(value.text)) {
+                    this.#expandedActions.add(action.toLowerCase());
+                }
+            }
+        }
+        return this.#expandedActions;
+    }
 }

package/src/handlers/diagnostics/base.js

@@ -1,3 +1,4 @@
+import { isRuleEnabled } from "../../lib/config.js";
 import { createDiagnostic } from "./utils.js";
 export class ElementValidator {
     #validated;
@@ -6,8 +7,8 @@ export class ElementValidator {
     }
     validate(entry) {
         const diagnostics = [];
-        if (this.#validated) {
-            diagnostics.push(createDiagnostic('duplicate statement key', entry.keyRange));
+        if (this.#validated && isRuleEnabled('DUPLICATE_KEY')) {
+            diagnostics.push(createDiagnostic('DUPLICATE_KEY', 'duplicate statement key', entry.keyRange));
         }
         this.#validated = true;
         return diagnostics;

package/src/handlers/diagnostics/diagnostics.js

@@ -1,3 +1,4 @@
+import { isRuleEnabled } from "../../lib/config.js";
 import { ActionValidator } from "./action.js";
 import { ConditionValidator } from "./condition.js";
 import { EffectValidator } from "./effect.js";
@@ -30,7 +31,7 @@ async function handleStandardDiagnostics(policyDocument) {
     const sidValidator = new SidValidator();
     const effectValidator = new EffectValidator();
     const principalValidator = new PrincipalValidator();
-    const actionValidator = new ActionValidator();
+    const actionValidator = new ActionValidator(policyDocument, new Set(['Action', 'NotAction']));
     const resourceValidator = new ResourceValidator();
     const conditionValidator = new ConditionValidator();
     for (const statement of policyDocument.statements) {
@@ -54,18 +55,20 @@ async function handleStandardDiagnostics(policyDocument) {
             else if (entry.key === 'Condition') {
                 diagnostics = diagnostics.concat(conditionValidator.validate(entry));
             }
-            else {
-                diagnostics.push(createDiagnostic(`Unrecognized entry "${entry.key}" in statement`, entry.keyRange));
+            else if (isRuleEnabled('UNRECOGNIZED_KEY')) {
+                diagnostics.push(createDiagnostic('UNRECOGNIZED_KEY', `Unrecognized entry "${entry.key}" in statement`, entry.keyRange));
             }
         }
-        if (!effectValidator.isValidated()) {
-            diagnostics.push(createDiagnostic(`Missing required "Effect" entry in statement`, statement.range));
+        if (!effectValidator.isValidated() && isRuleEnabled('MISSING_EFFECT')) {
+            diagnostics.push(createDiagnostic('MISSING_EFFECT', 'Missing required "Effect" entry in statement', statement.range));
         }
-        if (!actionValidator.isValidated()) {
-            diagnostics.push(createDiagnostic(`Missing required "Action" or "NotAction" entry in statement`, statement.range));
+        if (!actionValidator.isValidated() && isRuleEnabled('MISSING_ACTION')) {
+            diagnostics.push(createDiagnostic('MISSING_ACTION', 'Missing required "Action" or "NotAction" entry in statement', statement.range));
         }
-        if (!resourceValidator.isValidated() && !principalValidator.isValidated()) {
-            diagnostics.push(createDiagnostic(`Missing required "Resource"/"NotResource" or "Principal"/"NotPrincipal" entry in statement`, statement.range));
+        if (!resourceValidator.isValidated() &&
+            !principalValidator.isValidated() &&
+            isRuleEnabled('MISSING_RESOURCE_OR_PRINCIPAL')) {
+            diagnostics.push(createDiagnostic('MISSING_RESOURCE_OR_PRINCIPAL', 'Missing required "Resource"/"NotResource" or "Principal"/"NotPrincipal" entry in statement', statement.range));
         }
         [sidValidator, effectValidator, principalValidator, actionValidator, resourceValidator, conditionValidator].forEach((x) => {
             x.resetForStatement();
@@ -78,7 +81,7 @@ async function handleHclBlockDiagnostics(policyDocument) {
     const sidValidator = new SidValidator();
     const effectValidator = new EffectValidator();
     const principalValidator = new PrincipalValidator();
-    const actionValidator = new ActionValidator();
+    const actionValidator = new ActionValidator(policyDocument, new Set(['actions', 'not_actions']));
     const resourceValidator = new ResourceValidator();
     const conditionValidator = new ConditionValidator();
     for (const statement of policyDocument.statements) {
@@ -102,18 +105,20 @@ async function handleHclBlockDiagnostics(policyDocument) {
             else if (entry.key === 'condition') {
                 diagnostics = diagnostics.concat(conditionValidator.validate(entry));
             }
-            else {
-                diagnostics.push(createDiagnostic(`Unrecognized entry "${entry.key}" in statement`, entry.keyRange));
+            else if (isRuleEnabled('UNRECOGNIZED_KEY')) {
+                diagnostics.push(createDiagnostic('UNRECOGNIZED_KEY', `Unrecognized entry "${entry.key}" in statement`, entry.keyRange));
             }
         }
-        if (!effectValidator.isValidated()) {
-            diagnostics.push(createDiagnostic(`Missing required "effect" entry in statement`, statement.range));
+        if (!effectValidator.isValidated() && isRuleEnabled('MISSING_EFFECT')) {
+            diagnostics.push(createDiagnostic('MISSING_EFFECT', 'Missing required "effect" entry in statement', statement.range));
         }
-        if (!actionValidator.isValidated()) {
-            diagnostics.push(createDiagnostic(`Missing required "actions" or "not_actions" entry in statement`, statement.range));
+        if (!actionValidator.isValidated() && isRuleEnabled('MISSING_ACTION')) {
+            diagnostics.push(createDiagnostic('MISSING_ACTION', 'Missing required "actions" or "not_actions" entry in statement', statement.range));
         }
-        if (!resourceValidator.isValidated() && !principalValidator.isValidated()) {
-            diagnostics.push(createDiagnostic(`Missing required "resources"/"not_resources" or "principals"/"not_principals" entry in statement`, statement.range));
+        if (!resourceValidator.isValidated() &&
+            !principalValidator.isValidated() &&
+            isRuleEnabled('MISSING_RESOURCE_OR_PRINCIPAL')) {
+            diagnostics.push(createDiagnostic('MISSING_RESOURCE_OR_PRINCIPAL', 'Missing required "resources"/"not_resources" or "principals"/"not_principals" entry in statement', statement.range));
         }
         [sidValidator, effectValidator, principalValidator, actionValidator, resourceValidator, conditionValidator].forEach((x) => {
             x.resetForStatement();

package/src/handlers/diagnostics/effect.js

@@ -1,11 +1,12 @@
+import { isRuleEnabled } from "../../lib/config.js";
 import { ElementValidator } from "./base.js";
 import { createDiagnostic } from "./utils.js";
 export class EffectValidator extends ElementValidator {
     validate(entry) {
         const diagnostics = super.validate(entry);
         const value = entry.values[0]?.text;
-        if (value !== 'Allow' && value !== 'Deny') {
-            diagnostics.push(createDiagnostic(`effect value must be either "Allow" or "Deny"`, entry.valueRange));
+        if (isRuleEnabled('INVALID_EFFECT') && value !== 'Allow' && value !== 'Deny') {
+            diagnostics.push(createDiagnostic('INVALID_EFFECT', 'effect value must be either "Allow" or "Deny"', entry.valueRange));
         }
         return diagnostics;
     }

package/src/handlers/diagnostics/resource.js

@@ -1,3 +1,4 @@
+import { isRuleEnabled } from "../../lib/config.js";
 import { isRegionValidForPartition, isValidPartition, partitions } from "../../lib/iam-policy/partitions.js";
 import { ElementValidator } from "./base.js";
 import { createDiagnostic } from "./utils.js";
@@ -22,28 +23,28 @@ function validateArn(value) {
     if (!text.startsWith('arn:'))
         return [];
     const segments = text.split(':');
-    if (segments.length > 1) {
+    if (segments.length > 1 && isRuleEnabled('INVALID_PARTITION')) {
         const partition = segments[1];
         if (partition === '') {
-            diagnostics.push(createDiagnostic('partition is required', segmentRange(value, 1)));
+            diagnostics.push(createDiagnostic('INVALID_PARTITION', 'partition is required', segmentRange(value, 1)));
         }
         else if (partition !== '*' && !Object.keys(partitions).includes(partition)) {
-            diagnostics.push(createDiagnostic(`partition must be one of: ${[...validPartitions].join(',')}`, segmentRange(value, 1)));
+            diagnostics.push(createDiagnostic('INVALID_PARTITION', `partition must be one of: ${[...validPartitions].join(',')}`, segmentRange(value, 1)));
         }
     }
-    if (segments.length > 3) {
+    if (segments.length > 3 && isRuleEnabled('INVALID_REGION')) {
         const partition = segments[1];
         const region = segments[3];
         if (isValidPartition(partition)) {
             if (region !== '*' && region !== '' && !isRegionValidForPartition(partition, region)) {
-                diagnostics.push(createDiagnostic('invalid region for this partition', segmentRange(value, 3)));
+                diagnostics.push(createDiagnostic('INVALID_REGION', 'invalid region for this partition', segmentRange(value, 3)));
             }
         }
     }
-    if (segments.length > 4) {
+    if (segments.length > 4 && isRuleEnabled('INVALID_ACCOUNT')) {
         const account = segments[4];
         if (account !== '*' && account !== '' && !accountIdPattern.test(account)) {
-            diagnostics.push(createDiagnostic('expected account id to be 12 digits', segmentRange(value, 4)));
+            diagnostics.push(createDiagnostic('INVALID_ACCOUNT', 'expected account id to be 12 digits', segmentRange(value, 4)));
         }
     }
     return diagnostics;

package/src/handlers/diagnostics/sid.js

@@ -1,3 +1,4 @@
+import { isRuleEnabled } from "../../lib/config.js";
 import { ElementValidator } from "./base.js";
 import { createDiagnostic } from "./utils.js";
 const strictSidPattern = /^[A-Za-z0-9]*$/;
@@ -13,17 +14,17 @@ export class SidValidator extends ElementValidator {
         const sidValue = entry.values[0]?.text;
         if (!sidValue)
             return diagnostics;
-        if (sidValue in this.#sids) {
-            diagnostics.push(createDiagnostic(`Duplicate statement id value "${sidValue}"`, entry.valueRange));
-            diagnostics.push(createDiagnostic(`Duplicate statement id value "${sidValue}"`, this.#sids[sidValue].valueRange));
+        if (sidValue in this.#sids && isRuleEnabled('DUPLICATE_SID')) {
+            diagnostics.push(createDiagnostic('DUPLICATE_SID', `Duplicate statement id value "${sidValue}"`, entry.valueRange));
+            diagnostics.push(createDiagnostic('DUPLICATE_SID', `Duplicate statement id value "${sidValue}"`, this.#sids[sidValue].valueRange));
         }
         this.#sids[sidValue] = entry;
         const pattern = isResourcePolicy ? resourcePolicySidPattern : strictSidPattern;
-        if (!pattern.test(sidValue)) {
+        if (isRuleEnabled('INVALID_SID') && !pattern.test(sidValue)) {
             const message = isResourcePolicy
                 ? 'Sid must contain only ASCII letters (A-Z, a-z), digits (0-9), and spaces'
                 : 'Sid must contain only ASCII letters (A-Z, a-z) and digits (0-9)';
-            diagnostics.push(createDiagnostic(message, entry.values[0].range));
+            diagnostics.push(createDiagnostic('INVALID_SID', message, entry.values[0].range));
         }
         return diagnostics;
     }

package/src/handlers/diagnostics/utils.d.ts

@@ -1,3 +1,4 @@
-import type { Diagnostic } from 'vscode-languageclient';
+import { type Diagnostic, DiagnosticSeverity } from 'vscode-languageserver';
+import type { DiagnosticRuleId } from '../../lib/diagnostics.ts';
 import type { Range } from '../../lib/treesitter/base.ts';
-export declare function createDiagnostic(message: string, range: Range): Diagnostic;
+export declare function createDiagnostic(ruleId: DiagnosticRuleId, message: string, range: Range, severity?: DiagnosticSeverity): Diagnostic;

package/src/handlers/diagnostics/utils.js

@@ -1,6 +1,9 @@
-export function createDiagnostic(message, range) {
+import { DiagnosticSeverity } from 'vscode-languageserver';
+export function createDiagnostic(ruleId, message, range, severity = DiagnosticSeverity.Error) {
     return {
         source: 'aws-iam-language-server',
+        severity,
+        code: ruleId,
         message,
         range,
     };

package/src/lib/config.d.ts

@@ -0,0 +1,11 @@
+import { type DiagnosticRuleId } from './diagnostics.ts';
+export type DiagnosticRuleConfig = {
+    enabled: boolean;
+};
+export type ServerConfig = {
+    diagnostics: Record<DiagnosticRuleId, DiagnosticRuleConfig>;
+};
+export declare function getConfig(): ServerConfig;
+export declare function isRuleEnabled(ruleId: DiagnosticRuleId): boolean;
+export declare function resetConfig(): void;
+export declare function updateConfig(settings: Record<string, unknown> | undefined): void;

package/src/lib/config.js

@@ -0,0 +1,34 @@
+import { diagnosticRules } from "./diagnostics.js";
+function createDefaults() {
+    const diagnostics = {};
+    for (const key of Object.keys(diagnosticRules)) {
+        diagnostics[key] = { enabled: true };
+    }
+    return { diagnostics };
+}
+const config = createDefaults();
+export function getConfig() {
+    return config;
+}
+export function isRuleEnabled(ruleId) {
+    return config.diagnostics[ruleId].enabled;
+}
+export function resetConfig() {
+    const defaults = createDefaults();
+    for (const key of Object.keys(diagnosticRules)) {
+        config.diagnostics[key] = defaults.diagnostics[key];
+    }
+}
+export function updateConfig(settings) {
+    if (!settings)
+        return;
+    const diagnostics = settings.diagnostics;
+    if (!diagnostics)
+        return;
+    for (const key of Object.keys(diagnosticRules)) {
+        const ruleConfig = diagnostics[key];
+        if (ruleConfig && typeof ruleConfig.enabled === 'boolean') {
+            config.diagnostics[key].enabled = ruleConfig.enabled;
+        }
+    }
+}

package/src/lib/diagnostics.d.ts

@@ -0,0 +1,45 @@
+export type DiagnosticRule = {
+    description: string;
+};
+export declare const diagnosticRules: {
+    readonly DUPLICATE_KEY: {
+        readonly description: "Duplicate statement key";
+    };
+    readonly UNRECOGNIZED_KEY: {
+        readonly description: "Unrecognized entry in statement";
+    };
+    readonly MISSING_EFFECT: {
+        readonly description: "Missing required Effect entry";
+    };
+    readonly MISSING_ACTION: {
+        readonly description: "Missing required Action or NotAction entry";
+    };
+    readonly MISSING_RESOURCE_OR_PRINCIPAL: {
+        readonly description: "Missing required Resource/NotResource or Principal/NotPrincipal entry";
+    };
+    readonly INVALID_EFFECT: {
+        readonly description: "Effect value must be Allow or Deny";
+    };
+    readonly DUPLICATE_SID: {
+        readonly description: "Duplicate Sid value across statements";
+    };
+    readonly INVALID_SID: {
+        readonly description: "Sid contains invalid characters";
+    };
+    readonly UNRECOGNIZED_ACTION: {
+        readonly description: "Action does not match any known IAM action";
+    };
+    readonly DEPENDENT_ACTION: {
+        readonly description: "Action requires dependent actions not granted in the same statement";
+    };
+    readonly INVALID_PARTITION: {
+        readonly description: "Invalid or missing partition in resource ARN";
+    };
+    readonly INVALID_REGION: {
+        readonly description: "Invalid region for the specified partition";
+    };
+    readonly INVALID_ACCOUNT: {
+        readonly description: "Account ID must be 12 digits";
+    };
+};
+export type DiagnosticRuleId = keyof typeof diagnosticRules;

package/src/lib/diagnostics.js

@@ -0,0 +1,41 @@
+export const diagnosticRules = {
+    DUPLICATE_KEY: {
+        description: 'Duplicate statement key',
+    },
+    UNRECOGNIZED_KEY: {
+        description: 'Unrecognized entry in statement',
+    },
+    MISSING_EFFECT: {
+        description: 'Missing required Effect entry',
+    },
+    MISSING_ACTION: {
+        description: 'Missing required Action or NotAction entry',
+    },
+    MISSING_RESOURCE_OR_PRINCIPAL: {
+        description: 'Missing required Resource/NotResource or Principal/NotPrincipal entry',
+    },
+    INVALID_EFFECT: {
+        description: 'Effect value must be Allow or Deny',
+    },
+    DUPLICATE_SID: {
+        description: 'Duplicate Sid value across statements',
+    },
+    INVALID_SID: {
+        description: 'Sid contains invalid characters',
+    },
+    UNRECOGNIZED_ACTION: {
+        description: 'Action does not match any known IAM action',
+    },
+    DEPENDENT_ACTION: {
+        description: 'Action requires dependent actions not granted in the same statement',
+    },
+    INVALID_PARTITION: {
+        description: 'Invalid or missing partition in resource ARN',
+    },
+    INVALID_REGION: {
+        description: 'Invalid region for the specified partition',
+    },
+    INVALID_ACCOUNT: {
+        description: 'Account ID must be 12 digits',
+    },
+};

package/src/lib/iam-policy/arn.js

@@ -43,7 +43,7 @@ function tokensMatch(a, b) {
  * handles both `function:name` and `role/name` patterns.
  */
 function tokenizeResource(resource) {
-    return resource.split(/(?<=[:\/])|(?=[:\/])/);
+    return resource.split(/(?<=[:/])|(?=[:/])/);
 }
 /**
  * Check if the resource portion of a user ARN matches a template resource pattern.

package/src/server.js

@@ -5,11 +5,13 @@ import { handleCompletionRequest } from "./handlers/completion/index.js";
 import { diagnosticsHandler } from "./handlers/diagnostics/diagnostics.js";
 import { documentLinkHandler } from "./handlers/document-link/document-link.js";
 import { hoverHandler } from "./handlers/hover/index.js";
+import { updateConfig } from "./lib/config.js";
 import { TreeManager } from "./lib/treesitter/manager.js";
 const connection = createConnection();
 const documents = new TextDocuments(TextDocument);
 const treeManager = new TreeManager(connection);
-connection.onInitialize(async () => {
+connection.onInitialize(async (params) => {
+    updateConfig(params.initializationOptions);
     connection.console.log(`Started the AWS IAM Policy Language Server`);
     return {
         capabilities: {
@@ -22,6 +24,12 @@ connection.onInitialize(async () => {
         },
     };
 });
+connection.onDidChangeConfiguration(async (params) => {
+    updateConfig(params.settings?.['aws-iam-language-server']);
+    for (const document of documents.all()) {
+        await diagnosticsHandler(document, treeManager, connection);
+    }
+});
 documents.onDidOpen(async ({ document }) => {
     await treeManager.openDocument(document.uri, document.getText(), document.languageId);
     await diagnosticsHandler(document, treeManager, connection);